A crucial distant code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited within the wild, enabling attackers to take over servers with a easy PUT request.
Hackers are reportedly leveraging proof-of-concept (PoC) exploits that have been revealed on GitHub simply 30 hours after the flaw was disclosed final week.
The malicious exercise was confirmed by Wallarm security researchers, who warned that conventional security instruments fail to detect it as PUT requests seem regular and the malicious content material is obfuscated utilizing base64 encoding.
Particularly, the attacker sends a PUT request containing a base64-encoded serialized Java payload saved to Tomcat’s session storage.
The attacker then sends a GET request with a JSESSIONID cookie pointing to the uploaded session file, forcing Tomcat to deserialize and execute the malicious Java code, granting full management to the attacker.
The assault doesn’t require authentication and is brought on by Tomcat accepting partial PUT requests and its default session persistence.
“This assault is lifeless easy to execute and requires no authentication,” explains Wallarm.
“The one requirement is that Tomcat is utilizing file-based session storage, which is frequent in lots of deployments. Worse, base64 encoding permits the exploit to bypass most conventional security filters, making detection difficult.”
The Tomcat RCE
The CVE-2025-24813 distant code execution vulnerability flaw was first disclosed by Apache on Monday 10, 2025, impacting Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98.
The security bulletin warned customers that, below sure circumstances, an attacker might view or inject arbitrary content material on security-sensitive recordsdata.
The circumstances have been the next:
- Writes enabled for the default servlet (readonly= “false”) — (Disabled by default)
- Help for partial PUT is enabled (Enabled by default.)
- Safety-sensitive uploads happen in a sub-directory of a public add listing.
- The attacker is aware of the names of security-sensitive recordsdata being uploaded.
- These security-sensitive recordsdata are being uploaded utilizing partial PUT.
Apache advisable that every one customers improve to Tomcat variations 11.0.3+, 10.1.35+, or 9.0.99+, that are patched towards CVE-2025-24813.
Tomcat customers might also mitigate the issue by reverting to the default servlet configuration (readonly= “true”), turning off partial PUT assist, and avoiding storing security-sensitive recordsdata in a subdirectory of public add paths.
Wallarm warns that the larger concern highlighted on this case is not the exploitation exercise itself however the potential for extra RCE vulnerabilities arising from the partial PUT dealing with in Tomcat.
“Attackers will quickly begin shifting their ways, importing malicious JSP recordsdata, modifying configurations, and planting backdoors exterior session storage. That is simply the primary wave,” cautioned Wallarm.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and find out how to defend towards them.
